DSA-2021-243: Dell PowerScale OneFS Contains Security Update for Multiple Vulnerabilities.
Résumé: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Cet article concerne
Cet article ne concerne pas
Cet article n’est associé à aucun produit spécifique.
Toutes les versions du produit ne sont pas identifiées dans cet article.
Impact
High
Détails
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36350 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors. A remote unauthenticated attacker may potentially exploit this vulnerability and bypass one of the factors of authentication. | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Third-party Component | CVEs | More information |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 |
| Intel Platform | Multiple CVEs | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00463.html |
| cURL | Multiple CVEs | https://curl.se/docs/vuln-7.78.0.html |
| Python | CVE-2021-23336 | https://nvd.nist.gov/vuln/detail/CVE-2021-23336 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36350 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors. A remote unauthenticated attacker may potentially exploit this vulnerability and bypass one of the factors of authentication. | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Third-party Component | CVEs | More information |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 |
| Intel Platform | Multiple CVEs | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00463.html |
| cURL | Multiple CVEs | https://curl.se/docs/vuln-7.78.0.html |
| Python | CVE-2021-23336 | https://nvd.nist.gov/vuln/detail/CVE-2021-23336 |
Produits concernés et mesure corrective
| CVEs Addressed |
|
Updated Versions | Link to Update | |
| CVE-2021-3712 (OpenSSL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
|
| 9.3.0.x | Available from December (or later) RUP | |||
| 9.1.0.x, 9 and2.1.x | Download and install the latest RUP | |||
| Multiple CVEs (Intel) | All supported OneFS versions | Download and install the latest NFP for your node types | ||
| Multiple CVEs (cURL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-23336 (Python) | 8.2.1.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.x, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-36350 (PowerScale OneFS) | 8.2.1.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP |
| CVEs Addressed |
|
Updated Versions | Link to Update | |
| CVE-2021-3712 (OpenSSL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
|
| 9.3.0.x | Available from December (or later) RUP | |||
| 9.1.0.x, 9 and2.1.x | Download and install the latest RUP | |||
| Multiple CVEs (Intel) | All supported OneFS versions | Download and install the latest NFP for your node types | ||
| Multiple CVEs (cURL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-23336 (Python) | 8.2.1.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.x, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-36350 (PowerScale OneFS) | 8.2.1.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP |
Solutions de contournement et mesures d’atténuation
| CVEs Addressed | Workarounds or Mitigations |
| CVE-2021-3712 (OpenSSL) | Avoid granting the ISI_PRIV_AUTH_SSH RBAC role to non-administrators. |
| Multiple CVEs (Intel) | None |
| Multiple CVEs (cURL) | None |
| CVE-2021-23336 (Python) | None |
| CVE-2021-36350 (PowerScale OneFS) | Avoid configuring DUO for groups with spaces in their name, until you have patched your OneFS installation. |
Historique des révisions
| Revision | Date | Description |
| 1.0 | 2021-12-06 | Initial Release |
Informations connexes
Mention légale
Produits concernés
PowerScale OneFS, Product Security InformationPropriétés de l’article
Numéro d’article: 000194157
Type d’article: Dell Security Advisory
Dernière modification: 15 Feb 2022
Trouvez des réponses à vos questions auprès d’autres utilisateurs Dell
Services de support
Vérifiez si votre appareil est couvert par les services de support.